|
| 1 | +.. bpo: 29778 |
| 2 | +.. date: 2020-07-03-17-21-37 |
| 3 | +.. nonce: cR_fGS |
| 4 | +.. release date: 2020-08-19 |
| 5 | +.. section: Security |
| 6 | +
|
| 7 | +Ensure :file:`python3.dll` is loaded from correct locations when Python is |
| 8 | +embedded (CVE-2020-15523). |
| 9 | + |
| 10 | +.. |
| 11 | +
|
| 12 | +.. bpo: 41004 |
| 13 | +.. date: 2020-06-29-16-02-29 |
| 14 | +.. nonce: ovF0KZ |
| 15 | +.. section: Security |
| 16 | +
|
| 17 | +CVE-2020-14422: The __hash__() methods of ipaddress.IPv4Interface and |
| 18 | +ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and |
| 19 | +128 respectively. This resulted in always causing hash collisions. The fix |
| 20 | +uses hash() to generate hash values for the tuple of (address, mask length, |
| 21 | +network address). |
| 22 | + |
| 23 | +.. |
| 24 | +
|
| 25 | +.. bpo: 39073 |
| 26 | +.. date: 2020-03-15-01-28-36 |
| 27 | +.. nonce: 6Szd3i |
| 28 | +.. section: Security |
| 29 | +
|
| 30 | +Disallow CR or LF in email.headerregistry.Address arguments to guard against |
| 31 | +header injection attacks. |
| 32 | + |
| 33 | +.. |
| 34 | +
|
| 35 | +.. bpo: 38576 |
| 36 | +.. date: 2020-03-14-14-57-44 |
| 37 | +.. nonce: OowwQn |
| 38 | +.. section: Security |
| 39 | +
|
| 40 | +Disallow control characters in hostnames in http.client, addressing |
| 41 | +CVE-2019-18348. Such potentially malicious header injection URLs now cause a |
| 42 | +InvalidURL to be raised. |
| 43 | + |
| 44 | +.. |
| 45 | +
|
| 46 | +.. bpo: 39503 |
| 47 | +.. date: 2020-01-30-16-15-29 |
| 48 | +.. nonce: B299Yq |
| 49 | +.. section: Security |
| 50 | +
|
| 51 | +CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class |
| 52 | +of the :mod:`urllib.request` module uses an inefficient regular expression |
| 53 | +which can be exploited by an attacker to cause a denial of service. Fix the |
| 54 | +regex to prevent the catastrophic backtracking. Vulnerability reported by |
| 55 | +Ben Caller and Matt Schwager. |
| 56 | + |
| 57 | +.. |
| 58 | +
|
| 59 | +.. bpo: 38945 |
| 60 | +.. date: 2019-12-01-22-44-40 |
| 61 | +.. nonce: ztmNXc |
| 62 | +.. section: Security |
| 63 | +
|
| 64 | +Newline characters have been escaped when performing uu encoding to prevent |
| 65 | +them from overflowing into to content section of the encoded file. This |
| 66 | +prevents malicious or accidental modification of data during the decoding |
| 67 | +process. |
| 68 | + |
| 69 | +.. |
| 70 | +
|
| 71 | +.. bpo: 38804 |
| 72 | +.. date: 2019-11-15-00-54-42 |
| 73 | +.. nonce: vjbM8V |
| 74 | +.. section: Security |
| 75 | +
|
| 76 | +Fixes a ReDoS vulnerability in :mod:`http.cookiejar`. Patch by Ben Caller. |
| 77 | + |
| 78 | +.. |
| 79 | +
|
| 80 | +.. bpo: 39017 |
| 81 | +.. date: 2020-07-12-22-16-58 |
| 82 | +.. nonce: x3Cg-9 |
| 83 | +.. section: Library |
| 84 | +
|
| 85 | +Avoid infinite loop when reading specially crafted TAR files using the |
| 86 | +tarfile module (CVE-2019-20907). |
| 87 | + |
| 88 | +.. |
| 89 | +
|
| 90 | +.. bpo: 41183 |
| 91 | +.. date: 2020-07-01-16-59-46 |
| 92 | +.. nonce: 9stVAW |
| 93 | +.. section: Library |
| 94 | +
|
| 95 | +Use 3072 RSA keys and SHA-256 signature for test certs and keys. |
| 96 | + |
| 97 | +.. |
| 98 | +
|
| 99 | +.. bpo: 39503 |
| 100 | +.. date: 2020-03-25-16-02-16 |
| 101 | +.. nonce: YmMbYn |
| 102 | +.. section: Library |
| 103 | +
|
| 104 | +:class:`~urllib.request.AbstractBasicAuthHandler` of :mod:`urllib.request` |
| 105 | +now parses all WWW-Authenticate HTTP headers and accepts multiple challenges |
| 106 | +per header: use the realm of the first Basic challenge. |